kubernetes: Ephemeral container can't work with restricted PodSecurity

What happened?

I want to start an ephemeral container for a pod under a namespace with restricted PodSecurity. I got the following error:

Warning FailedCreate 59s (x6 over 2m20s) replicaset-controller (combined from similar events): Error creating: pods "ephemeral-demo-74d9cfc58f-jbdpg" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "ephemeral-demo" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "ephemeral-demo" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "ephemeral-demo" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "ephemeral-demo" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

What did you expect to happen?

Ephemeral container can be created successfully and gets default capabilities, just like with PSP.

How can we reproduce it (as minimally and precisely as possible)?

  1. Create a "restricted" namespace.
  2. Create a pod under that namespace.
  3. Create an ephemeral container via "kubectl debug".

Anything else we need to know?

No response

Kubernetes version

$ kubectl version
WARNING: This version information is deprecated and will be replaced with the output from kubectl version --short.  Use --output=yaml|json to get the full version.
Client Version: version.Info{Major:"1", Minor:"24", GitVersion:"v1.24.0", GitCommit:"4ce5a8954017644c5420bae81d72b09b735c21f0", GitTreeState:"clean", BuildDate:"2022-05-03T13:46:05Z", GoVersion:"go1.18.1", Compiler:"gc", Platform:"linux/amd64"}
Kustomize Version: v4.5.4
Server Version: version.Info{Major:"1", Minor:"24", GitVersion:"v1.24.0", GitCommit:"4ce5a8954017644c5420bae81d72b09b735c21f0", GitTreeState:"clean", BuildDate:"2022-05-03T13:38:19Z", GoVersion:"go1.18.1", Compiler:"gc", Platform:"linux/amd64"}

Cloud provider

kubeadm on a server

OS version

# On Linux:
$ cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
$ uname -a
Linux foss-ssc-11 5.1.11-1.el7.elrepo.x86_64 #1 SMP Mon Jun 17 15:51:08 EDT 2019 x86_64 x86_64 x86_64 GNU/Linux
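To make the error above concrete, here is an added example (not from the issue and not Kubernetes' own admission code) that re-implements just the four restricted-profile checks named in the message and applies them to every container in a pod, including the `ephemeralContainers` list that `kubectl debug` appends. The pod manifest, the container names and the image names are constructed for the demo; the real profile has further checks (host namespaces, volume types, added capabilities) that are not modelled here.

```python
"""Minimal model of the four "restricted" PodSecurity checks quoted in the issue.

Added example, not Kubernetes code. It evaluates init, regular and ephemeral
containers alike, which is why an ephemeral container without a hardened
securityContext is rejected in a "restricted" namespace.
"""

from typing import Any, Dict, Iterator, List, Optional

# Seccomp profile types the restricted profile accepts (taken from the error text).
ALLOWED_SECCOMP_TYPES = {"RuntimeDefault", "Localhost"}


def _all_containers(spec: Dict[str, Any]) -> Iterator[Dict[str, Any]]:
    """Yield init, regular and ephemeral containers; PodSecurity checks all three lists."""
    for field in ("initContainers", "containers", "ephemeralContainers"):
        yield from spec.get(field) or []


def check_restricted(pod: Dict[str, Any]) -> List[str]:
    """Return the restricted-profile violations for a pod manifest given as a dict."""
    spec = pod.get("spec") or {}
    pod_sc = spec.get("securityContext") or {}
    violations: List[str] = []

    for c in _all_containers(spec):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}

        # 1. allowPrivilegeEscalation must be explicitly false on every container.
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(
                f'allowPrivilegeEscalation != false (container "{name}" '
                "must set securityContext.allowPrivilegeEscalation=false)"
            )

        # 2. every container must drop ALL capabilities.
        drop = (sc.get("capabilities") or {}).get("drop") or []
        if "ALL" not in drop:
            violations.append(
                f'unrestricted capabilities (container "{name}" '
                'must set securityContext.capabilities.drop=["ALL"])'
            )

        # 3. runAsNonRoot may be set at pod level; a container-level value overrides it.
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if run_as_non_root is not True:
            violations.append(
                f'runAsNonRoot != true (pod or container "{name}" '
                "must set securityContext.runAsNonRoot=true)"
            )

        # 4. seccompProfile.type must be RuntimeDefault or Localhost (pod or container level).
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ALLOWED_SECCOMP_TYPES:
            violations.append(
                f'seccompProfile (pod or container "{name}" must set '
                'securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")'
            )
    return violations


def restricted_security_context() -> Dict[str, Any]:
    """Container-level securityContext that satisfies all four checks above."""
    return {
        "allowPrivilegeEscalation": False,
        "capabilities": {"drop": ["ALL"]},
        "runAsNonRoot": True,
        "seccompProfile": {"type": "RuntimeDefault"},
    }


def sample_pod(debug_security_context: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
    """Constructed pod: a compliant app container plus an ephemeral debug container.

    With debug_security_context=None the ephemeral container carries no
    securityContext at all, which is the situation the issue describes.
    """
    debugger: Dict[str, Any] = {"name": "debugger", "image": "busybox"}
    if debug_security_context is not None:
        debugger["securityContext"] = debug_security_context
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": "ephemeral-demo", "namespace": "restricted-ns"},
        "spec": {
            "containers": [
                {"name": "app", "image": "nginx", "securityContext": restricted_security_context()}
            ],
            "ephemeralContainers": [debugger],
        },
    }


if __name__ == "__main__":
    # The bare debug container fails all four checks; the hardened one passes.
    for v in check_restricted(sample_pod()):
        print("violation:", v)
    print("hardened debugger violations:", check_restricted(sample_pod(restricted_security_context())))
```

The same pod passes once the ephemeral container carries the hardened `securityContext`, or once `runAsNonRoot` and `seccompProfile` are set at pod level and only the two container-only fields are set on the debugger; a container-level `runAsNonRoot: false` still fails even when the pod level says `true`.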

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 20 (9 by maintainers)

Most upvoted comments

So “bypassing security policy” is done by “usernames” configured by “exemptions”, “debugging profile” is only used to set ephemeral container securityContext. Is my current understanding right? :-) @liggitt @verb